PIPEDA: What You Should Know About Canada’s Data Privacy Law

PIPEDA, the Personal Information Protection and Electronic Documents Act, is a data privacy law part of Canada’s national private sector. Additionally, the Office of the Privacy Commissioner of Canada (OPC) officially enforces PIPEDA, while also enforcing Canada’s Privacy Act, which protects the rights of Canadian citizens.

PIPEDA Overview

PIPEDA governs how private Canadian companies are responsible for the collection, use, and disclosure of personally identifiable information (PII) during the course of their regular business activities. Furthermore, each organization is responsible for ensuring it collects only the information needed to conduct business, and that it stores and controls access to that information in a secure fashion. Additionally, companies must also make sure they destroy information securely as soon as it’s no longer needed. Hence, PIPEDA has strong breach notification provisions. Therefore, if an organization does experience a breach, it is obligated to report to those affected and to the OPC. However, failure to do so can result in significant fines and penalties.

PIPEDA Guidelines

Companies must comply with ten guidelines to be considered PIPEDA compliant:

  1. PIPEDA Accountability

    A representative must be appointed from within an organization, to consistently monitor whether all PIPEDA guidelines are met. Additionally, the organization must protect all personal information it holds, including any transferred to a third party for processing. As well, organizations are responsible for developing and implementing personal information policies.

  2. Identifying Purposes

    The organization must identify and document its purposes for collecting personal information, and tell customers why this information is needed. Furthermore, organizations must obtain consent from customers, both upon the first collection and when requiring additional information.

  3. Consent

    Before an organization can collect any information, it must first request consent, and it is also responsible for ensuring customers are clear on what they are consenting to. However, the ask for consent is only considered valid if it can be established customers truly understand the nature, purpose, and consequences of the collection, use, or disclosure of their personal information. As well, customers must be able to withdraw consent at any time.

  4. Limiting Collection

    Information must only be collected if it is absolutely necessary for an organization’s cause, and it be honest in its purpose for collection.

  5. Limiting Use, Disclosure, and Retention

    Personal information may only be used or disclosed for the causes explained at the time of gaining consent. Representatives of the organization must know where the information is stored and shared at all times.

  6. Accuracy

    Organizations are obligated to minimize the possibility of using incorrect information when making a decision about an individual or when disclosing information. This can be achieved by keeping personal information as accurate, complete, and up to date as necessary.

  7. Safeguards

    Information must be protected in a way that is appropriate to how sensitive it is. Organizations are obligated to protect information against loss, theft, or any unauthorized access, disclosure, copying, use, or modification.

  8. Openness

    Customers and employees must always be informed of policies and practices for managing personal information. Moreover, these practices must be easily understandable and available.

  9. Individual Access

    When asked, organizations must be able to explain where information was obtained, how it is used, and with whom it has been shared. Customers (or others who provided information) must also be able to access their information at little to no cost. Otherwise, the organization must explain the reason for not providing access.

  10. Challenging PIPEDA Compliance

    If someone chooses to challenge an organization’s PIPEDA compliance, that organization will present the representative accountable for PIPEDA compliance. Using the representative, the organization must develop a process for complaint handling and notify the claimant of their options. The organization must investigate all complaints

To Whom Does PIPEDA Apply?

PIPEDA compliance applies to any Canadian private-sector organization that collects, uses, or shares personal information in a commercial fashion. PIPEDA also applies to federally-regulated organizations like:

  • Airlines and airports
  • Banks
  • Telecommunications companies
  • Inter-provincial and international transportation companies

PIPEDA doesn’t apply to not-for-profit and charity groups, or political parties and associations unless they are engaging in commercial activities that don’t align with their purpose. The Office of the Privacy Commissioner of Canada explains more details on special cases of which organizations must comply with PIPEDA.

PIPEDA and QuickProtect

QuickProtect’s experts have extensive knowledge of the commercial collection of information and how to keep this data stored safely. We’re your business partner in ensuring that your organization is PIPEDA compliant now and in the future. Get in touch to speak to an expert about PIPEDA compliance!